How to NAT Client VPN to Site-to-Site vpn?

gray25251
Level 1

I have a site-to-site vpn connection to a remote client site that can be accessed from the servers in the following access list

access-list MATCHJLS extended permit ip 78.129.xxx.0 255.255.255.128 object-group DM_INLINE_NETWORK_1 

object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86

I would also like 10.1.1.0/24 and 10.255.255.0/24 to access the remote site, but the admin onsite says that NAT should be used with the existing access and they won't add the additional rules due to a possible IP conflict.

I'm not sure how to do this. Any advice would be much appreciated.


Perfect. Now it's clear.

1. First test connectivity from LAN

nat (inside) 11 access-list  policy-nat
global (outside) 11 78.129.151.86 (or any other free address)

2. If step 1 is working, test connectivity for VPN users

nat (outside) 10 access-list  policy-nat-two
global (outside) 10 78.129.151.85

---

Michal

Thanks Michal

We are getting there...

1st test works ok. I can now access servers on remote site from systems on 10.1.1.0/24

VPN connection still cannot reach the remote site however.

These are the commands I sent -

Result of the command: "nat (inside) 11 access-list  policy-nat"

The command has been sent to the device

Result of the command: "global (outside) 11 78.129.151.105"

INFO: Global 78.129.151.105 will be Port Address Translated

Result of the command: "nat (outside) 10 access-list  policy-nat-two"

The command has been sent to the device

Result of the command: "global (outside) 10 78.129.151.106"

INFO: Global 78.129.151.106 will be Port Address Translated

OK, try to add:

nat (inside) 10 access-list  policy-nat-two

---

Michal

Result of the command: "nat (inside) 10 access-list  policy-nat-two"

The command has been sent to the device

Still not able to ping servers. Any ideas?

Config seems correct, let's verify it. please put results:

sh access-list policy-nat-two

sh run nat

sh run static

sh run global

---

Michal

Thanks Michal

Here you go:

Result of the command: "sh access-list policy-nat-two"

access-list policy-nat-two; 7 elements; name hash: 0x9bb12beb
access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 0x4ccb1229
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.52 (hitcnt=0) 0x14b3f1b2
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.53 (hitcnt=0) 0xa64102f8
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.68 (hitcnt=0) 0x084d4d6b
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.69 (hitcnt=0) 0x11efd931
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.84 (hitcnt=0) 0xb81c7575
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.85 (hitcnt=0) 0x0d4c0fd0
  access-list policy-nat-two line 1 extended permit ip 10.255.255.0 255.255.255.0 host 172.19.60.86 (hitcnt=0) 0x3609c421

Result of the command: "sh run nat"

nat (Outside) 10 access-list policy-nat-two
nat (Inside) 0 access-list NONAT
nat (Inside) 11 access-list policy-nat
nat (Inside) 10 access-list policy-nat-two
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (Inside) 1 10.2.2.0 255.255.255.0

Result of the command: "sh run static"

The command has been sent to the device

Result of the command: "sh run global"

global (Outside) 1 interface
global (Outside) 11 78.129.151.105
global (Outside) 10 78.129.151.106

OK, it's good. Please test using Packet-tracer:

packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det

--

Michal

Here you go-

Result of the command: "packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group allow in interface Inside

access-list allow extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7fdb00, priority=12, domain=permit, deny=false

hits=8218854, user_data=0xa8a026c0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7b5738, priority=0, domain=inspect-ip-options, deny=true

hits=10460483, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7b53b0, priority=66, domain=inspect-icmp-error, deny=false

hits=575728, user_data=0xac7b5298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 10 access-list policy-nat-two

  match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52

    dynamic translation to pool 10 (78.129.151.106)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 10.255.255.10/0 to 78.129.151.106/45655 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in  id=0xad432ec0, priority=2, domain=nat, deny=false

hits=1, user_data=0xad31e720, cs_id=0x0, flags=0x0, protocol=0

src ip=10.255.255.0, mask=255.255.255.0, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 10 access-list policy-nat-two

  match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52

    dynamic translation to pool 10 (78.129.151.106)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad3f2390, priority=2, domain=host, deny=false

hits=2, user_data=0xad31e720, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.255.255.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xad44a158, priority=70, domain=encrypt, deny=false

hits=6, user_data=0x0, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Please add the highlighted line to the no-NAT ACL.

access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0

access-list NONAT extended permit ip 10.255.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

That's weird. Could you test a similar packet-tracer, but for the LAN?

packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det

I will compare the difference.

We should not disable NAT for that traffic (the mentioned NONAT rule), because:

"but the admin onsite says that NAT should be used with the existing access and they won't add the additional rules due to a possible ip conflict"

That means that the remote side does not know (and does not want to know) how to respond to 10.255.255.0.

---

Michal

Here you go-

Result of the command: "packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group allow in interface Inside

access-list allow extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7fdb00, priority=12, domain=permit, deny=false

hits=8219841, user_data=0xa8a026c0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7b5738, priority=0, domain=inspect-ip-options, deny=true

hits=10461761, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac7b53b0, priority=66, domain=inspect-icmp-error, deny=false

hits=575760, user_data=0xac7b5298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 11 access-list policy-nat

  match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52

    dynamic translation to pool 11 (78.129.151.105)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 10.1.1.10/0 to 78.129.151.105/6130 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in  id=0xac4566b0, priority=2, domain=nat, deny=false

hits=1, user_data=0xad6c32f0, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.1.0, mask=255.255.255.0, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 11 access-list policy-nat

  match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52

    dynamic translation to pool 11 (78.129.151.105)

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad4a64b0, priority=2, domain=host, deny=false

hits=5154, user_data=0xad6c32f0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.1.1.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xad386010, priority=70, domain=encrypt, deny=false

hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Phase: 9

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group allow out interface Outside

access-list allow extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac7fd888, priority=12, domain=permit, deny=false

hits=8302462, user_data=0xa8a02740, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12471061, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

Great. We have a difference.

Both types of traffic (LAN and remote VPN) are first correctly translated, and then in step 8 we try to encrypt.

For remote VPN we have a drop and "user_data=0x0", while for the working scenario user_data is not 0 and the traffic is encrypted correctly.

#working for LAN traffic

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xad386010, priority=70, domain=encrypt, deny=false

hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x00000000

#non working for remote vpn traffic

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xad44a158, priority=70, domain=encrypt, deny=false

hits=6, user_data=0x0, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x00000000

It might be a bug, but I cannot confirm it now.

Could you try to:

no crypto map VPNPEER 1 match address MATCHJLS

(wait 5 seconds)

crypto map VPNPEER 1 match address MATCHJLS

Then test.

Also (this one will break all tunnels for 5 seconds):

no crypto map VPNPEER interface Outside

(wait 5 seconds)

crypto map VPNPEER interface Outside

Then test.

---

Michal
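The comparison Michal made by hand above (first DROP phase, translated source, user_data of the encrypt rule), as an added example that is not from the thread: a Python script that parses ASA packet-tracer output and also checks that the translated source falls inside the encrypt rule's src network, i.e. the crypto-map match. The two trace excerpts are constructed from the figures in the thread and keep only the NAT and VPN phases.

```python
import ipaddress
import re

# Constructed excerpts (NAT and VPN phases only) shaped like the thread's two
# packet-tracer runs: the LAN host that works and the VPN-pool host that drops.
TRACE_LAN = """Phase: 6
Type: NAT
Result: ALLOW
Dynamic translate 10.1.1.10/0 to 78.129.151.105/6130 using netmask 255.255.255.255
Phase: 8
Type: VPN
Result: ALLOW
hits=1, user_data=0x2eceae4, cs_id=0xac4635a0, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
"""
TRACE_VPN_USER = TRACE_LAN.replace(
    "10.1.1.10/0 to 78.129.151.105/6130", "10.255.255.10/0 to 78.129.151.106/45655"
).replace("Result: ALLOW\nhits=1, user_data=0x2eceae4", "Result: DROP\nhits=6, user_data=0x0")

def parse_phases(trace):
    """Split packet-tracer output into {phase_number: text of that phase}."""
    chunks = re.split(r"^Phase: (\d+)\n", trace, flags=re.M)
    return {int(n): body for n, body in zip(chunks[1::2], chunks[2::2])}

def field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def analyze(trace):
    """First DROP phase, translated source, whether it sits inside the encrypt
    rule's src network (the crypto-map match) and that rule's user_data."""
    report = {"first_drop": None, "xlate": None, "in_crypto_src": None, "user_data": None}
    for num, body in sorted(parse_phases(trace).items()):
        typ, result = field(body, r"^Type: (\S+)"), field(body, r"^Result: (\S+)")
        if result == "DROP" and report["first_drop"] is None:
            report["first_drop"] = f"{num}:{typ}"
        if typ == "NAT" and "Dynamic translate" in body:
            report["xlate"] = field(body, r"^Dynamic translate \S+ to ([\d.]+)/")
        if typ == "VPN":
            src, mask = field(body, r"^src ip=([\d.]+)"), field(body, r"mask=([\d.]+)")
            net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
            if report["xlate"]:
                report["in_crypto_src"] = ipaddress.ip_address(report["xlate"]) in net
            report["user_data"] = field(body, r"user_data=(0x[0-9a-f]+)")
    return report

def compare(working, failing):
    """Fields that differ between a working and a failing run."""
    a, b = analyze(working), analyze(failing)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Both translated addresses land inside 78.129.151.0/25, so the script confirms the crypto ACL match is fine and narrows the difference to the DROP result and user_data=0x0, which is exactly the anomaly discussed here.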

Hi Michal

Not sure I did those instructions entirely correct...

Here is the output. I waited 5 seconds where you specified. No change on access through client vpn.

Result of the command: "no crypto map VPNPEER 1 match address MATCHJLS"

WARNING: The crypto map entry will be incomplete!

Result of the command: "crypto map VPNPEER 1 match address MATCHJLS"

The command has been sent to the device

Result of the command: "no crypto map VPNPEER interface Outside"

The command has been sent to the device

Result of the command: "crypto map VPNPEER interface Outside"

The command has been sent to the device

OK, so removing/adding the crypto ACL and crypto map did not help.

We have 2 options:

1. You use a pretty old 8.2.2. You can try with this image

asa825-33-k8.bin

And test with that version.

2. Call cisco TAC (you can ask there for me to be assigned to this case).

To troubleshoot it I would need to display some internal tables. It's not a good place/way to troubleshoot that.

---

Michal

Thanks Michal

I tried to download the image but do not have a contract. The router is rented through our hosting provider. I'm not sure they will upgrade it for us but I can check on Monday.

Do you have any alternative suggestions?

Kind Regards

Graham
